tinny123 t1_j1hjr26 wrote on December 24, 2022 at 11:56 AM

Reply to comment by Fit-Anything8352 in The Lastpass hack was worse than the company first reported by glawgii

Tech novice here. Dont use lastpass. Dont trust it.

But if the hackers have all this data, are current users who attempt to sign in with their master password at risk because the vaults were hacked and stolen.?

VellDarksbane t1_j1hphea wrote on December 24, 2022 at 1:07 PM

Assuming everything is implemented in the way Lastpass says it is, only if the attackers were still in the network, and had setup a system to scrape passwords. From what they’re saying, the attackers grabbed the encrypted vaults, which are useless without the master password, so anyone with a strong master password that hadn’t been reused anywhere will be fine.

There are options for password managers if you don’t trust lastpass, such as keepass, which stores the database locally, so no third party has any ability to view them. You then have to worry about backing up the database itself to avoid a hard drive going bad wiping out your password vault, but it is free iirc.

GlitteringAccident31 t1_j1htsf1 wrote on December 24, 2022 at 1:52 PM

I think serving this locally for 99pct of users is much more error prone.

Backing up to the cloud, serving from an instance for availability across devices, backups on a bucket somewhere. so many possible attack vectors.

Bitwarden is free as well

VellDarksbane t1_j1jkgmp wrote on December 24, 2022 at 9:44 PM

I agree, but being more error prone, and having to reset passwords more often, is better than password reuse for most users too. Lastpass, bitwarden, etc, all require you to trust the team you’re purchasing it from to some degree. Keepass is fully offline, with no ability to sync, except what you do to keep the file synced.

For most end users personal use, which is going to be many people in this thread, their backup is going to be a personal onedrive/icloud, a flash drive, or something like backblaze if they’re being fancy. They aren’t going to be configuring S3 buckets to keep their 50-100 password database backed up, if they back it up at all.